FIELD REFERENCE

The B.A.D. Glossary

Behaviors. Adversaries. Damage.

A working reference to the language of compromise: what attackers do, who they are, and the damage they leave behind. The techniques, the actors, the campaigns, and the artifacts an analyst will name out loud during triage.

Core adversarial techniques

Foundational behaviors, attacker techniques, and broad offensive concepts.

FEATURED

Lateral Movement

Adversary traversal across an environment after initial access. Each hop expands the blast radius and adds new entities for Subject to map. In real intrusions the movement is rarely linear and often piggybacks on legitimate authentication.

FEATURED

Privilege Escalation

The climb from standard user to admin to SYSTEM to domain admin. Triage often catches the first hop; mature SOCs catch the second. Catching the climb in progress is the difference between a contained incident and a full domain compromise.

FEATURED

Persistence

Why removing the malware is rarely enough. Mature adversaries plant multiple anchors (registry Run keys, scheduled tasks, services, WMI event subscriptions) so reboots, password resets, and even partial cleanups leave at least one foothold intact. Defenders need to enumerate every place persistence might hide before they can call a host clean.

FEATURED

SQL Injection

Untrusted input concatenated straight into a SQL query. The classic payload ' OR '1'='1 turns a WHERE clause into a tautology and returns every row: the same characters that were meant to be data get parsed as syntax. Parameterized queries (bound placeholders) keep the two apart; escaping by hand does not.
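A worked example added for this entry (not code from the original page): the vulnerable concatenation beside its parameterized form, run against a throwaway in-memory SQLite table whose rows are constructed for the demonstration. The table name, columns and payload string are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the statement text, so quotes become syntax."""
    query = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: a bound placeholder keeps the input as data; the engine never re-parses it."""
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# The classic tautology payload: closes the string literal, then ORs in a true condition.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "alice"))        # one row, as intended
    print(lookup_vulnerable(conn, PAYLOAD))        # every row: WHERE '' OR '1'='1'
    print(lookup_parameterized(conn, PAYLOAD))     # no rows: nobody is literally named that
```

The vulnerable query ends up as `... WHERE username = '' OR '1'='1'`, which is true for every row; the parameterized version looks for a user whose name is the payload string and finds nothing.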

FEATURED

Zero Day

The patch counter sits at zero: the vendor has not shipped a fix and may not yet know the bug exists. Exploits in the wild outpace mitigation. The window between first exploitation and patch is when zero-days do the most damage, and the most valuable ones are never publicly disclosed at all.

FEATURED

UAC Bypass

Windows User Account Control should prompt before elevation. Bypass techniques (hijacking the registry keys or DLL paths consulted by auto-elevating binaries such as fodhelper.exe and eventvwr.exe) skip the prompt entirely: the dialog never fires and a process belonging to an account in the local Administrators group moves from medium to high integrity silently. Microsoft does not treat UAC as a security boundary, so most bypasses never get a CVE; detection has to come from telemetry such as unexpected writes under HKCU\Software\Classes\ms-settings or HKCU\Software\Classes\mscfile shortly before an elevated child process appears.

Advanced Persistent Threat (APT)

A prolonged, covert cyberattack by a skilled adversary, often state-sponsored, that gains and maintains unauthorized access to a network.

COM Hijacking

A persistence technique that abuses Windows Component Object Model (COM) registry entries to hijack the execution flow of legitimate applications.

Compromised Host

A system under attacker control, often used for lateral movement, staging malware, or maintaining persistence within a network.

Defense Evasion

Techniques used to avoid detection and interference from security tools, including obfuscation, disabling defenses, and mimicking legitimate activity.

Escape-The-Box

An attack that breaks out of a restricted environment (container, VM, sandbox) to gain access to the underlying host system.

Execution

The attacker successfully runs malicious code on a system, typically using interpreters, scripts, payloads, or legitimate tools.

Initial Access

The first step of a breach, where attackers gain a foothold in the environment through phishing, exploits, credential abuse, or exposed services.

Insider Risk

Risk of harm originating from a person with authorized access, typically through negligence, mistake, or policy violation rather than deliberate intent. Distinct from insider threat, which is deliberate.

Insider Threat

A trusted internal user who intentionally abuses their access to cause harm, steal data, or assist external attackers.

Jailbreaking

The removal of OS-level security restrictions, particularly on iOS devices, to obtain root-level control. Usually done by the device owner, but it also disables the sandboxing and code-signing protections that malware and surveillance tooling would otherwise have to defeat, which is why jailbroken devices are a soft target and a standard exclusion in mobile device management policy.

Logic Attack

A technique that exploits flaws in system logic or workflows, rather than code, to bypass controls or cause disruption.

Malware

Software designed to disrupt, damage, or gain unauthorized access to systems. Encompasses ransomware, trojans, worms, viruses, spyware, wipers, rootkits, and the other malware families catalogued below.

Payload Deployment

The delivery and installation of malicious software, tools, or scripts intended to perform an attacker's objectives.

Post-Exploitation

The phase where the attacker explores the environment, escalates access, exfiltrates data, or sets up long-term control.

Pre-Exploitation

The reconnaissance and scanning phase, where attackers gather intelligence and identify vulnerabilities before launching an attack.

Privilege Chaining

The sequential use of multiple smaller privilege escalations or credential compromises to progressively gain more powerful access.

Remote Execution

Running commands or malicious code on a target system from a remote location, often via exploits or administrative tools.

Staged Payloads

A two-phase delivery process where a lightweight stager downloads and executes a more complex secondary payload.

System Tampering

The unauthorized modification of system configurations, binaries, or behaviors to support attacker goals or disrupt operations.

Threat actor profiles

Named groups and individuals known for malicious cyber activity. Their tradecraft, motivations, and historical campaigns shape modern triage.

APT10 Cloud Hopper

Chinese state-sponsored group associated with global IP theft. Their Cloud Hopper campaign targeted managed service providers (MSPs) to compromise downstream customers. Focus: healthcare, defense, aerospace, tech. Uses RedLeaves, custom loaders, spear-phishing, credential theft, and cloud-service abuse aligned with China's economic and military goals.

APT28 Fancy Bear / GRU

Linked to Russia's GRU and known for aggressive operations. Credential harvesting, malware deployment, destructive attacks against political and military targets. Tied to the 2016 DNC breach and many NATO-related campaigns. Leverages zero-days and weaponized Office documents. Noisier and more direct than APT29; a primary actor in Russian hybrid warfare.

APT29 Cozy Bear / SVR

Sophisticated espionage group associated with Russia's SVR. Stealth and long-term access. Targets governments, think tanks, healthcare, vaccine researchers. One of the groups behind SolarWinds (UNC2452). Custom malware, living-off-the-land, well-crafted spear-phishing. Operations often go undetected for months. Modular tooling, adaptive infrastructure.

APT33 Iran / aviation + energy

Iranian government-linked group targeting aerospace, energy, and critical infrastructure. Mixes espionage with destructive operations including Shamoon wiper variants. Phishing campaigns tied to fake aviation job postings. Represents Iran's evolving cyber capability and willingness to engage in hybrid warfare.

Charming Kitten APT35 / Phosphorus

Iranian group conducting espionage against academics, human rights activists, and government entities. Phishing, fake social personas, credential harvesting. Known for impersonating journalists and think tanks. Supports Iran's strategic interests in surveillance and foreign intelligence collection. Active for over a decade.

Edward Snowden insider disclosure

Former NSA contractor who leaked classified documents revealing global surveillance programs. Not a traditional threat actor, but his disclosures had massive impact on public awareness, policy, and cybersecurity posture. Viewed variously as a whistleblower, a leaker, or a traitor. A touchpoint for discussions on data access, civil liberties, and operational secrecy.

Evil Corp Dridex / WastedLocker

Russian cybercrime group behind the Dridex banking trojan and BitPaymer / WastedLocker ransomware. Hundreds of millions stolen from global financial institutions. U.S. Treasury has sanctioned the group and its alleged leader Maksim Yakubets. Has continued operations under new malware names to evade sanctions and tracking.

FIN7 Carbanak / Bateleur

Well-organized cybercrime group conducting large-scale intrusions against banks, POS systems, and hospitality. Financially motivated but operationally on par with nation-state actors. Developed Carbanak and Bateleur malware families. Uses phishing, backdoors, supply-chain compromise. Has rebranded after arrests, including via fronts like Combi Security.

HAFNIUM Exchange zero-days

Suspected Chinese state-sponsored group, widely known for exploiting Microsoft Exchange zero-days in 2021. Web-shell deployment and widespread data theft from education, law firms, NGOs, and defense contractors. Uses a mix of custom malware and commercial tools, including C2 over compromised Exchange servers.

LAPSUS$ Okta, Microsoft, Nvidia

Loosely organized group known for extortion, data leaks, and high-profile breaches. Access via SIM-swapping, credential theft, and insider recruitment rather than malware. Thrives on media attention and public-facing leaks. Members believed to be primarily teenagers, with arrests in the UK. Disruption over stealth.

Lazarus Group North Korea / RGB

Umbrella term for several North Korean operations under the Reconnaissance General Bureau. Espionage, sabotage, and financially motivated attacks: Sony Pictures, WannaCry, bank and crypto-exchange theft. Blends APT tradecraft with cybercrime to fund the regime. Strategic patience plus opportunistic targeting.

Sandworm GRU / destructive ops

Destructive GRU unit behind the 2015 / 2016 Ukraine power grid attacks (BlackEnergy, Industroyer) and the global NotPetya wiper. Tools include VPNFilter, KillDisk, Cyclops Blink. Specializes in ICS/OT disruption, hybrid warfare, and psychological operations. Aligned with Russian military objectives.

SilverTerrier Nigerian BEC

Collective term for Nigerian actors conducting Business Email Compromise fraud. Less technically advanced than APTs but highly profitable. Phishing, credential theft, social engineering to divert funds from corporate communications. Many actors operate openly on social media. Hundreds of arrests, but the group continues to evolve.

TA505 large-scale malware ops

Prolific cybercriminal group distributing banking trojans, ransomware, and RATs globally. Frequent massive phishing waves delivering Dridex, FlawedAmmyy, Locky. Often acts as an initial-access broker for other groups. Frequently shifts tactics, payloads, and infrastructure. Exemplifies the malware-as-a-service model.

Turla FSB / long-running espionage

Long-running Russian cyber-espionage group linked to the FSB. Targets governments, embassies, militaries. Custom implants like Snake, Carbon, Kazuar. Hijacks infrastructure from other malware families to obfuscate attribution. Watering holes, poisoned updates, compromised email systems. Tradecraft emphasizes longevity and covertness.

UNC2452 Mandiant / SolarWinds

Mandiant designation for the threat group behind the SolarWinds supply-chain compromise, later linked to APT29. Introduced the SUNBURST backdoor into Orion updates, affecting U.S. government agencies and Fortune 500 companies. Stealthy lateral movement and privilege escalation. Undetected for months. A landmark case for software trust chains.

Wizard Spider Ryuk / Conti / TrickBot

Russia-based cybercriminal group behind Ryuk, Conti, and TrickBot. Financially motivated; hundreds of millions extorted from hospitals, municipalities, corporations. Operates within a larger ecosystem of IABs and malware developers. Fast lateral movement, data theft, double extortion. Often preceded by TrickBot or BazarLoader infections.

Notable campaigns and breaches

High-impact, widely analyzed intrusions and operations that shaped modern security thinking.

FEATURED

Stuxnet

The watershed cyber-physical weapon. Stuxnet altered centrifuge speeds at Iran's Natanz facility while feeding operators normal readings on the SCADA HMIs. The gap between what the equipment was doing and what the monitors reported is the breakthrough that turned malware into a tool of kinetic effect.

FEATURED

WannaCry, worm spread

WannaCry used the EternalBlue exploit (MS17-010) to propagate through SMB to any unpatched host it could reach. From patient zero, it spread autonomously by scanning local subnets and random IPs, infecting roughly 200,000 systems across 150 countries within 24 hours of the May 12, 2017 outbreak. By the time most SOCs had triaged the first alert, the second wave of hosts was already encrypting. That speed is what "wormable" means in practice: the malware does its own lateral movement; defenders don't get the usual reaction window.

Cambridge Analytica

Political consulting firm that improperly harvested data from 87 million Facebook users. Psychological profiling and micro-targeted ads aimed at influencing the 2016 U.S. election and Brexit. Not a traditional cyberattack, but exposed serious flaws in data privacy and third-party app oversight. Triggered global debate about surveillance capitalism and election interference; GDPR enforcement followed.

Cloud Hopper

Widespread espionage campaign by China's APT10 targeting MSPs globally. Compromising MSPs gave attackers stealthy access to customer networks across aerospace, finance, manufacturing, and healthcare. Credential theft, custom malware, and RATs. Victims often unaware due to the trusted MSP position. A textbook example of supply-chain compromise for espionage.

Colonial Pipeline

May 2021 ransomware incident attributed to DarkSide that hit the IT systems of one of the largest fuel pipeline operators in the U.S. The company preemptively shut down operations, causing East Coast shortages. Initial access via a compromised VPN password. $4.4M ransom paid; partly recovered by the U.S. government. Spurred new cybersecurity mandates for pipeline operators.

Equifax breach

2017 breach exposing PII (SSNs, birth dates, addresses) for 147 million Americans. Caused by failure to patch Apache Struts (CVE-2017-5638) on a public-facing web application. Attackers operated undetected for roughly 76 days. Handling and disclosure drew widespread criticism. Resulted in a settlement of up to $700M and regulatory reforms focused on data protection.

Log4Shell

CVE-2021-44228, a critical RCE in Apache Log4j. Attacker-controlled input is interpolated into a log message that triggers a JNDI lookup, which loads and executes a remote class. Disclosed December 2021, exploited globally within hours. Affected vast swaths of Java applications. Renewed calls for software bill-of-materials and open-source security funding. Reset assumptions about transitive-dependency risk.

HAFNIUM Exchange

Early 2021 chain of zero-day exploits in Microsoft Exchange Server. Tens of thousands of orgs affected globally, government, academic, business. Web shells deployed for data theft, persistence, and lateral movement. Out-of-band patches issued. Raised concerns about on-premises Exchange security and patch management.

NotPetya

Destructive cyberattack masquerading as ransomware, attributed to Russia's GRU unit Sandworm. Spread via a compromised update to the Ukrainian accounting software M.E.Doc, then jumped globally over SMB (EternalBlue) and harvested credentials. Encrypted the MFT and overwrote the MBR with no working recovery path, whatever the ransom note promised. Maersk, Merck, FedEx among the victims. Billions in damages and a defining case study in supply-chain abuse.

Operation Aurora

2009-2010 China-attributed intrusions targeting Google, Adobe, and dozens of others. Zero-day in Internet Explorer used to deploy backdoors and steal source code and IP. Google's public disclosure was a turning point in public discussion of state-sponsored industrial espionage and APTs.

Operation ShadowHammer

2019 supply-chain compromise of the ASUS software update utility. Compromised updates were signed and shipped from ASUS's own servers, reaching hundreds of thousands. Payload activated only on specific targets, suggesting selective espionage. Stolen certificates plus supply-chain trust. Linked to nation-state-capable APT activity.

OPM breach

2015 breach compromising SF-86 background investigation records (and fingerprints) for 21+ million U.S. federal personnel. Attributed to Chinese state-sponsored actors. A goldmine for counterintelligence. Major reforms in U.S. government cybersecurity practices and incident response readiness followed.

Sony Pictures hack

2014 destructive attack attributed to North Korea's Lazarus Group, reportedly in retaliation for The Interview. Wiper malware, leaked unreleased films, and exposed executive communications. Blended political retaliation, information warfare, and corporate sabotage. First high-profile nation-state attack on a private company over content.

SolarWinds SUNBURST

Late-2020 supply-chain compromise of SolarWinds Orion. Trojanized update gave APT29 / UNC2452 backdoor access to thousands of customers including U.S. government agencies and Fortune 500 firms. Stealthy command-and-control, lateral movement, and data exfiltration over months. Reshaped trust assumptions around software vendors.

Stuxnet

Landmark cyberweapon, widely reported to have been developed jointly by the U.S. and Israel to disrupt Iran's nuclear enrichment. Multiple zero-days and PLC-specific payloads targeted Siemens controllers at Natanz. Altered centrifuge speeds while reporting normal readings. First malware known to cause real-world industrial damage. Inspired subsequent ICS-targeting malware.

Target breach

2013 breach compromising payment data for 40 million customers and PII for 70 million more. Initial access via a compromised HVAC contractor; lateral movement to POS systems; malware on registers captured card data. A landmark for third-party risk management and network segmentation. Hundreds of millions in costs and executive resignations.

Ukraine power grid

December 2015 and December 2016 attacks marking the first known cyberattacks to cause power outages. Attributed to Russia's Sandworm. In 2015, spear-phishing delivered BlackEnergy, giving the attackers access to SCADA workstations; they opened breakers through the operators' own HMIs and remote-access sessions while the operators sat locked out, and restoration had to be done by hand at the substations. The 2016 attack used Industroyer / CrashOverride, which speaks grid protocols (IEC 60870-5-101/104, IEC 61850, OPC DA) directly rather than driving an HMI. Defining examples of cyber warfare against civilian infrastructure.

WannaCry

May 2017 ransomware outbreak using EternalBlue (NSA SMB exploit leaked by Shadow Brokers). Wormed across networks, encrypting files in 150+ countries; the UK NHS was hit hard. Microsoft had released the patch beforehand, but many systems were unpatched. Attributed to North Koreaโ€™s Lazarus Group. A wake-up call on patch hygiene.

Storm-0558 (Microsoft cloud email)

July 2023 intrusion in which a China-aligned actor forged Azure AD access tokens using a stolen Microsoft consumer-MSA signing key, reading emails of ~25 organizations including U.S. State Department and Commerce officials via Outlook Web Access. The key should not have signed enterprise tokens; a validation gap let it. Reshaped how the industry talks about identity-provider key custody, token-binding, and the blast radius of a single signing key.
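An added example (not Microsoft's code, and not from the original page) of the key-scoping gap this entry describes: a token validator that trusts any key in a merged keyset for any issuer, beside one that checks the key is allowed to sign for the token's issuer. HMAC secrets stand in for the real asymmetric signing keys, and the key IDs, issuer URLs, audience and claims are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed keyset (assumption): HMAC secrets in place of the real RSA keys.
# Each key records which issuer it is supposed to sign for.
CONSUMER_ISS = "https://login.live.com"
ENTERPRISE_ISS = "https://sts.windows.net/contoso-tenant/"
MAIL_AUD = "https://outlook.office365.com"

KEYS = {
    "msa-consumer-key": {"secret": b"consumer-key-material", "issuers": {CONSUMER_ISS}},
    "aad-enterprise-key": {"secret": b"enterprise-key-material", "issuers": {ENTERPRISE_ISS}},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token with the named key. Whoever holds the key can call this."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _verify_signature(token: str) -> Optional[tuple]:
    """Return (kid, claims) if the signature checks out under the key named in the header."""
    header, body, sig = token.split(".")
    hdr = json.loads(_unb64(header))
    key = KEYS.get(hdr.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return hdr["kid"], json.loads(_unb64(body))


def validate_vulnerable(token: str, expected_aud: str) -> Optional[dict]:
    """Signature and audience only: any key in the merged keyset is trusted for any issuer."""
    result = _verify_signature(token)
    if result is None:
        return None
    _kid, claims = result
    return claims if claims.get("aud") == expected_aud else None


def validate_fixed(token: str, expected_aud: str) -> Optional[dict]:
    """Same checks plus key scoping: the signing key must be allowed for the token's issuer."""
    result = _verify_signature(token)
    if result is None:
        return None
    kid, claims = result
    if claims.get("aud") != expected_aud:
        return None
    if claims.get("iss") not in KEYS[kid]["issuers"]:
        return None
    return claims


def forged_enterprise_token() -> str:
    """What an attacker holding only the consumer key can mint: enterprise issuer, consumer kid."""
    return sign_token("msa-consumer-key",
                      {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": "victim@contoso.example"})


def legitimate_enterprise_token() -> str:
    return sign_token("aad-enterprise-key",
                      {"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": "user@contoso.example"})


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("vulnerable validator accepts forged token:", validate_vulnerable(forged, MAIL_AUD) is not None)
    print("fixed validator accepts forged token:", validate_fixed(forged, MAIL_AUD) is not None)
```

The signature on the forged token is genuine, which is the whole point: a stolen key does not produce invalid signatures, so the only defence at validation time is refusing to honour a key outside the scope it was issued for.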

MOVEit Transfer mass exploitation

May-June 2023 zero-day SQL injection in Progress Software's MOVEit Transfer (CVE-2023-34362), exploited at scale by the Cl0p extortion group. Thousands of organizations affected through the file-transfer vendor's customer base, including U.S. federal agencies, state DMVs, and Fortune 500 firms. A defining case for third-party-software risk and for ransomware groups shifting from encryption to pure data extortion.

Okta support-system breach

October 2023 intrusion of Okta's customer support case-management system. An Okta employee had signed into a personal Google account on an Okta-managed laptop, and a service-account credential saved there was stolen and reused against the support system. With it the attackers pulled HAR files that customers had uploaded for troubleshooting; the files contained valid session cookies. Drove home that "support" surfaces handle production credentials and need the same identity-provider rigor as the products themselves.

XZ Utils backdoor

March 2024. A multi-year social-engineering campaign by a fictitious maintainer ("Jia Tan") inserted a stealthy backdoor (CVE-2024-3094) into the xz/liblzma compression library. On Linux distributions whose sshd links liblzma (via the systemd notification patches), it hooked RSA key verification so that anyone holding the attacker's private key got pre-authentication remote code execution. Caught by chance when Andres Freund, a Microsoft engineer, noticed sshd logins burning roughly 500ms of extra CPU. A defining open-source supply-chain case and the catalyst for renewed maintainer-trust scrutiny.

Snowflake customer-account theft

April-June 2024. A threat group later tracked as UNC5537 used credentials harvested from infostealer logs to access Snowflake customer environments that had no MFA configured. Victims included Ticketmaster, Santander, AT&T, LendingTree. Not a Snowflake CVE but a customer-side identity-hygiene failure at scale. Drove the industry-wide push for MFA-mandatory cloud SaaS access.

Volt Typhoon / Salt Typhoon

2023-2024 disclosures of two long-running China-linked campaigns against U.S. critical infrastructure. Volt Typhoon (first publicly described in May 2023) pre-positioned in energy, water, communications, and transportation networks using living-off-the-land techniques for stealthy persistence. Salt Typhoon (disclosed in late 2024) compromised major U.S. telecom carriers' networks, including systems used for lawful intercept, with potential access to call metadata and the federal wiretap apparatus. Reframed the boundary between espionage and prepositioning for disruptive action.

Malware types

Categories of malware defined by technique, payload style, and evasion characteristics.

FEATURED

Ransomware

Malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) for the decryption key. Modern ransomware operators add data theft and public-leak extortion. In telemetry, the encryption sweep shows as rapid sequential file writes across the filesystem.

FEATURED

Botnet

Many infected machines (bots) coordinating to a central controller. The rhythm of regular check-ins is what defenders look for. DDoS, credential stuffing, spam, and proxy abuse all ride on this primitive. Modern botnets span PCs, servers, routers, and IoT.
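An added example (not from the original page) of the regularity check the entry describes: inter-arrival times per source/destination pair over a constructed connection log, scored by the coefficient of variation so that a jittered beacon still stands out from bursty human traffic. The IPs, hostnames, thresholds and jitter profile are all assumptions for the demonstration.

```python
import statistics
from collections import defaultdict


def make_sample() -> list:
    """Constructed connection log: (timestamp_seconds, src_ip, dst_host). Not real telemetry."""
    events = []
    t = 0
    # A 60-second beacon with a few seconds of jitter, the shape a C2 implant produces.
    for jitter in [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]:
        t += 60 + jitter
        events.append((t, "10.0.0.7", "203.0.113.9"))
    # Bursty, irregular human browsing to a single site.
    for t in [5, 7, 9, 120, 121, 600, 3300, 3301, 3302, 3305, 4400, 4402]:
        events.append((t, "10.0.0.8", "www.example.com"))
    return sorted(events)


def beacon_scores(events, min_conns: int = 8) -> dict:
    """{(src, dst): (connections, mean_interval, cv)} for pairs with enough samples to judge."""
    times = defaultdict(list)
    for t, src, dst in events:
        times[(src, dst)].append(t)
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: spread relative to the mean, so a 60s beacon
        # and a 6h beacon are judged by the same yardstick.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        scores[pair] = (len(ts), mean, cv)
    return scores


def suspected_beacons(events, max_cv: float = 0.2, min_conns: int = 8) -> list:
    """Pairs whose check-in rhythm is too regular to be a person at a keyboard."""
    return sorted(pair for pair, (_n, _mean, cv) in beacon_scores(events, min_conns).items()
                  if cv <= max_cv)


if __name__ == "__main__":
    for pair, (n, mean, cv) in beacon_scores(make_sample()).items():
        print(f"{pair}: {n} connections, mean gap {mean:.1f}s, cv {cv:.2f}")
    print("suspected beacons:", suspected_beacons(make_sample()))
```

Real implants randomize sleep more aggressively than this sample, so production detections combine interval regularity with low byte-size variance and destination rarity rather than relying on timing alone.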

FEATURED

Wiper Malware

The destructive cousin of ransomware. There is no decryption key, no negotiation, no recovery; a wiper overwrites file contents, the MBR, or the filesystem metadata so the disk cannot be restored. NotPetya and WhisperGate wore the ransom-note costume while destroying the underlying data; Shamoon did not bother with the disguise.

Adware

Malware that displays unwanted advertisements, often bundled with legitimate software. Advanced adware can harvest data or serve as a delivery mechanism for more serious malware.

Backdoors

Malicious code that provides unauthorized access to a compromised system, bypassing normal authentication. Often installed post-exploitation to maintain persistent remote control.

Banker Trojans

Malware designed to steal banking credentials and financial information by intercepting login sessions, injecting fake forms, or logging keystrokes. Often targets online banking and payment systems.

Banking Droppers (Loaders)

Lightweight malware designed solely to download and execute a more substantial payload, often a banking trojan or ransomware. Examples include Emotet, ZLoader, Smoke Loader.

Bootkits

Highly persistent malware that infects the bootloader, the Master Boot Record, or UEFI firmware components to gain control before the OS loads. Difficult to detect or remove because it runs beneath the operating system; Secure Boot and measured boot exist largely to raise the bar here.

Click Fraud Malware

Malware that simulates user clicks on advertisements to generate fraudulent revenue. Often run on compromised systems in large volumes to exploit pay-per-click ad platforms.

Crypters / Packers

Tooling that uses encryption or obfuscation to hide malicious code and evade antivirus. Not malicious on their own but commonly paired with trojans, RATs, or ransomware.

Fileless Malware

Malware that operates in memory without writing files to disk, which makes it harder to detect with traditional AV. Often leverages legitimate system tools like PowerShell or WMI for execution; when it persists at all, the anchor usually lives in the registry or a WMI subscription rather than on disk.

Infostealers

Software that harvests sensitive data from victims: passwords, cookies, browser history, autofill. Commonly used in initial-access phases of broader attack campaigns.

IoT Malware

Designed to infect Internet of Things devices like routers, cameras, smart appliances. Often used in botnets (e.g., Mirai) due to weak authentication and outdated firmware.

Logic Bombs

Malicious code triggered by specific conditions, such as a date or user action. Can remain dormant until activated, then execute destructive or stealthy functions.

Mobile Malware

Malware targeting mobile devices, often distributed via malicious apps or phishing links. Includes SMS stealers, fake banking apps, mobile RATs.

Polymorphic Malware

Malware that constantly changes its code or appearance to evade signature-based defenses. Underlying functionality remains the same despite changing forms.

Remote Access Trojan (RAT)

Malware that masquerades as legitimate software and, once installed, gives the operator interactive remote control of the host. The trojan delivery is load-bearing: the user runs it willingly. Common capabilities include keylogging, screen capture, file transfer, and webcam access.

Rootkits

Malware that hides its presence by subverting the OS or using kernel-level access. Often combined with other malware to maintain stealth and persistence.

Scareware

Software that tricks users into believing their device is infected, pressuring them to buy fake antivirus tools. Often a social-engineering precursor to real malware.

Spyware

Malware that secretly monitors user activity: keystrokes, screen captures, camera or microphone access. Used for surveillance, espionage, or credential theft.

Malware families

Named tools and campaign malware tied to specific actors or operations.

BlackCat / ALPHV

Sophisticated ransomware-as-a-service operation, one of the first to ship payloads written in Rust, which complicated detection and analysis at the time. Highly customizable Windows / Linux payloads, double-extortion with leak-site shaming. Widely assessed as the successor to the DarkSide / BlackMatter operation. Aggressive targeting of critical infrastructure and high-profile enterprises.

Cobalt Strike

Legitimate post-exploitation tool widely abused for C2, lateral movement, and credential harvesting. Beaconing, fileless injection, encrypted comms. Pirated and cracked versions used by APTs, ransomware gangs, and commodity malware. Frequently paired with TrickBot or BazarLoader to coordinate ransomware deployment.

Conti

One of the most prolific ransomware groups before disbanding in 2022. Centralized structure, professional affiliate model, human-operated intrusions. Used Cobalt Strike and TrickBot for movement. Internal chat-log leaks in 2022 exposed structure, operations, and finances. Many former members moved to BlackCat or Royal.

Dridex

Banking Trojan evolved into a modular platform for credential theft, lateral movement, and ransomware delivery. Spread via Word macros; injects into browsers to harvest banking credentials. Used to deploy Locky and BitPaymer. Associated with Evil Corp. Still under active development despite arrests.

EmPyre / Empire

Open-source post-exploitation framework. EmPyre was the Python agent for macOS/Linux and Empire the PowerShell agent for Windows; the two merged into Empire 2.0 in 2016, the original project was archived in 2019, and BC Security has maintained a fork since. Originally a red-team tool, adopted by various actors. Encrypted C2, evasion techniques, in-memory execution. Less common in the wild than Cobalt Strike, but an Empire agent on a host should be treated as a high-risk indicator. It is a framework, not a specific backdoor, so the question is always who deployed it.

IcedID (BokBot)

Banking Trojan turned loader frequently used to drop Cobalt Strike, TrickBot, or ransomware. Spread through malicious documents and phishing. Modular: credential theft, web injection, lateral movement. Persistence via scheduled tasks and registry keys. A key player in post-intrusion ransomware operations.

Maze

Pioneer of double extortion, encryption plus data theft to pressure victims. RaaS model with public leak blog. Exploited RDP, phishing, and known vulnerabilities; used Cobalt Strike and Mimikatz internally. Announced retirement in late 2020, but affiliates continued under banners like Egregor and Sekhmet.

Qakbot (Qbot)

Multifunctional banking Trojan and malware dropper that evolved into a full-featured loader. Email-thread hijacking for phishing. Persistence, network discovery, credential harvesting, encrypted C2. Cornerstone of many enterprise compromises. Coordinated international disruption in August 2023 (Operation Duck Hunt), but variants may persist.

RedLine

Infostealer sold on underground forums. Harvests credentials, browser data, cryptocurrency wallets, and system information. Distributed via cracked software, malvertising, phishing, and fake installers. JSON-over-HTTP/S C2. Customizable and affordable; popular among low-skill actors and initial-access brokers.

Ryuk

High-impact ransomware operated by Wizard Spider, typically delivered via TrickBot or BazarLoader. AES/RSA file encryption. Targets hospitals, municipalities, critical infrastructure. Fast encryption, kills backup and recovery processes. Operators are believed to overlap heavily with the subsequent Conti operation, which is generally treated as the successor brand.

Shamoon

Destructive wiper associated with Iranian state-sponsored actors. Infamous for the 2012 and 2016 attacks on Saudi Aramco. Overwrites MBR with provocative imagery, renders devices inoperable. Spreads via stolen credentials and admin shares. Primary goal is destruction, not financial gain.

TrickBot

Began as a banking Trojan, evolved into a modular enterprise-scale framework. Credential theft, recon, ransomware delivery. Often followed Emotet, provided a foothold for Ryuk or Conti. Decentralized infrastructure, encrypted comms, plugins for SMB spread and AD enumeration. Disrupted by Microsoft and partners in late 2020; wound down in early 2022 as its operators folded into the Conti operation.

Vidar

Widely distributed infostealer harvesting credentials, browser data, cookies, cryptocurrency wallets, and more. Delivered via phishing, malvertising, fake installers. HTTP POST C2 with encrypted exfiltration. Customizable and available as malware-as-a-service. Often bundled with or mistaken for RedLine / Raccoon.

WhisperGate

Destructive malware attributed to Russian actors, deployed against Ukraine in January 2022. Masquerades as ransomware but irreversibly corrupts the MBR and deletes system files. Two-stage: the first stage overwrites the bootloader with a fake ransom note, the second drops a file corrupter. No recovery mechanism: the goal is disruption, not finance. Echoed NotPetya tactics.

Exploited vulnerabilities

Real-world CVEs and architectural flaws that adversaries used at scale.

FEATURED

Heartbleed (CVE-2014-0160)

OpenSSL heartbeat extension flaw that lets a remote attacker read up to 64KB of memory per request: keys, passwords, session tokens, anything in the server's heap. The server trusts the peer-supplied payload length and copies that many bytes back, regardless of how much payload was actually sent. The attack leaves no obvious log traces, which is why the post-disclosure cleanup required mass key rotation across the internet.
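An added example (not OpenSSL's code, and not from the original page) that models the missing bounds check: the heartbeat record layout, a handler that copies whatever length the peer claims, and the patched handler that discards a request whose claimed length does not fit inside the record. The "heap neighbour" bytes after the record are constructed to show what a 1000-byte claim on a 2-byte payload drags out; in C the over-read would return whatever really sat there, or crash if the page was unmapped.

```python
import struct
from typing import Optional

HB_REQUEST = 1     # TLS1_HB_REQUEST message type
PADDING = 16       # minimum padding after the payload


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat record: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def handle_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g logic: trusts payload_length from the peer and copies that many bytes back."""
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    # record_length is never consulted, so the copy runs past the record into neighbouring heap.
    return memory[3:3 + payload_len]


def handle_fixed(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g logic: silently discard unless type + length + payload + padding fits the record."""
    if record_length < 1 + 2 + PADDING:
        return None
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_length:
        return None
    return memory[3:3 + payload_len]


# Constructed heap neighbour (not real data): what happened to sit after the record.
HEAP_NEIGHBOUR = (b"Cookie: session=a1b2c3d4e5f6;\r\n"
                  b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAconstructed\n").ljust(1100, b"\x00")


def leak_demo() -> tuple:
    """2 real payload bytes, a claimed length of 1000: vulnerable leaks, fixed refuses."""
    malicious = build_heartbeat(b"hi", 1000)
    memory = malicious + HEAP_NEIGHBOUR
    return handle_vulnerable(memory, len(malicious)), handle_fixed(memory, len(malicious))


def honest_demo() -> tuple:
    """A well-formed request gets the same answer from both handlers."""
    honest = build_heartbeat(b"hi", 2)
    memory = honest + HEAP_NEIGHBOUR
    return handle_vulnerable(memory, len(honest)), handle_fixed(memory, len(honest))


if __name__ == "__main__":
    leaked, refused = leak_demo()
    print(len(leaked), "bytes leaked; contains private key:", b"PRIVATE KEY" in leaked)
    print("fixed handler response:", refused)
    print("honest request:", honest_demo())
```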

FEATURED

Log4Shell (CVE-2021-44228)

One line of user input becomes remote code execution. The JNDI lookup inside ${jndi:ldap://...} makes Log4j contact attacker-controlled infrastructure, which returns a reference to a class that the JVM then loads and executes. Four steps in sequence: an attacker submits a string, Log4j resolves it, the LDAP server points at a malicious class, the JVM runs it. Lookups nest, so ${${lower:j}ndi:...} reaches the same code path and defeats naive string matching on the literal "jndi".

BlueKeep (CVE-2019-0708)

Critical RDP vulnerability allowing remote code execution without authentication. Affects Windows 7, Server 2008 / 2008 R2, and older releases. "Wormable": could self-propagate like WannaCry. Microsoft patched it in May 2019, including out-of-support Windows XP and Server 2003, an unusual step that signalled the severity. Highlighted the danger of exposing RDP directly to the internet.

Dirty COW (CVE-2016-5195)

Linux kernel privilege escalation via a race condition in the copy-on-write handling of memory mappings. An unprivileged process with read access to a file can race the COW path to write the underlying page, modifying files it should only be able to read, including system binaries owned by root. Widely used in rootkits and Linux malware. Impacted a wide range of distributions and Android.

EternalBlue

NSA SMBv1 exploit (CVE-2017-0144, patched as MS17-010 in March 2017) leaked by the Shadow Brokers in April 2017. A buffer overflow in the SMBv1 server allows unauthenticated remote code execution. Instrumental in WannaCry and NotPetya. Spurred deprecation of SMBv1 and stronger patching practices.

Follina (CVE-2022-30190)

Vulnerability in the Microsoft Support Diagnostic Tool (MSDT) triggered via crafted Word documents. A remote template pointing at the ms-msdt: protocol handler executes code without macros; the RTF variant fires from the Explorer preview pane without the file even being opened. Stealthier than VBA-based attacks. Used in phishing campaigns before it was fully addressed in the June 2022 updates.

ProxyShell

Three chained Exchange vulnerabilities (CVE-2021-34473, -34523, -31207) allowing unauthenticated SYSTEM-level RCE. AutoDiscover and PowerShell endpoint abuse. Mass exploitation after Black Hat 2021 demo, web shells and ransomware staging.

Shellshock (CVE-2014-6271)

GNU Bash flaw allowing arbitrary command execution via environment variables. Especially dangerous through CGI scripts. Affected web servers, routers, IoT. Exploits appeared within hours of disclosure. Drove broad review of UNIX-based software.

Spectre / Meltdown

Hardware vulnerabilities affecting modern microprocessors. Exploit speculative execution to leak memory across trust boundaries. Affects Intel, AMD, and ARM chips. Required firmware and software mitigations. A paradigm shift in how hardware-level trust boundaries are viewed.

Zerologon (CVE-2020-1472)

Netlogon protocol flaw allowing an unauthenticated attacker on the network to gain domain admin. A weakness in the AES-CFB8 implementation lets the attacker bypass Netlogon authentication, reset the domain controller's machine-account password to a known value, and pivot to domain admin. Actively exploited soon after disclosure.

Credential access and abuse

Techniques used to obtain, abuse, or manipulate identity data.

FEATURED

Password Spraying

One common password, many accounts. The inverse of brute force on a single account, designed to avoid lockouts and stay under detection thresholds. A seasonal candidate such as Spring2024! tried once against every user in a directory will get a few hits and almost never trip a lockout, exactly the pattern that should appear in identity-provider logs when a spray is underway.

FEATURED

Brute Force

The opposite of password spraying: one account, many passwords. The attacker cycles through common candidates (password, 123456, qwerty, letmein) against one locked target. Lockout policies and rate limits exist to defeat this; weak detection lets it grind silently for hours.
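The two shapes described under Password Spraying and Brute Force are easy to tell apart in identity-provider logs once failures are grouped by source: many accounts with one or two attempts each is a spray, one account with dozens of attempts is brute force. The detection logic below is an added example, not code from the glossary; the events, IP addresses (TEST-NET ranges) and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed identity-provider events, not real logs:
# (epoch seconds, user, result, source ip).
# 203.0.113.9 tries one password against twelve accounts and lands one hit: a spray.
# 198.51.100.7 tries thirty passwords against a single account: brute force.
SAMPLE_EVENTS = (
    [(1000 + i * 5, f"user{i:02d}", "FAIL", "203.0.113.9") for i in range(12)]
    + [(1100, "user03", "SUCCESS", "203.0.113.9")]
    + [(2000 + i, "bob", "FAIL", "198.51.100.7") for i in range(30)]
)


def classify_sources(events, window_s=3600, spray_min_accounts=10,
                     spray_max_per_account=2, brute_min_attempts=20):
    """Return {source_ip: "password_spray" | "brute_force"} for sources whose
    failed logons inside one time window match either pattern.

    Spray: many distinct accounts, each hit only a few times (stays under lockout).
    Brute force: one account hammered far past any sane retry count.
    Thresholds are illustrative; tune them to the tenant's lockout policy.
    """
    # (ip, window bucket) -> user -> failure count
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, user, result, ip in events:
        if result == "FAIL":
            buckets[(ip, ts // window_s)][user] += 1

    verdicts = {}
    for (ip, _), per_user in buckets.items():
        accounts = len(per_user)
        peak = max(per_user.values())
        if accounts >= spray_min_accounts and peak <= spray_max_per_account:
            verdicts[ip] = "password_spray"
        elif peak >= brute_min_attempts:
            verdicts[ip] = "brute_force"
    return verdicts


def spray_hits(events, verdicts):
    """Accounts that authenticated successfully from a spraying source: the
    'few hits' a spray gets, and the accounts to reset and review first."""
    return sorted({user for _, user, result, ip in events
                   if result == "SUCCESS" and verdicts.get(ip) == "password_spray"})


if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)                          # {'203.0.113.9': 'password_spray', '198.51.100.7': 'brute_force'}
    print(spray_hits(SAMPLE_EVENTS, v))  # ['user03']
```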

FEATURED

Pass-the-Hash

The attacker never needs the plaintext password. The NTLM hash from host A authenticates against host B because the protocol treats the hash as the credential. Silent, irreversible until the password is rotated, and the backbone of many lateral-movement campaigns.

FEATURED

Credential Dumping

LSASS memory holds the credentials of every active session. Tools like Mimikatz read it directly and extract hashes, tickets, and (sometimes) plaintext. EDR catches Mimikatz-style reads by detecting unusual access to the lsass process.

FEATURED

Golden Ticket Attack

With the krbtgt account hash, an attacker forges a Kerberos Ticket Granting Ticket that authenticates as anyone, for as long as they want. The only fix is rotating the krbtgt password twice, which is rare and disruptive.

FEATURED

Session Hijack

The session cookie is the credential after login. Steal it via XSS, MITM, or malware, replay it from anywhere, and the server cannot tell. No password prompt, no MFA, just the cookie. Same SID, different person.

Account Enumeration

Discovering valid usernames or accounts by analyzing system responses during login attempts or other interactions.

Account Takeover

Adversary gains unauthorized control of a user's account using stolen credentials or session tokens to impersonate the user.

Compromised Credentials

Usernames and passwords exposed, stolen, or leaked, enabling attackers to gain unauthorized access to systems or services.

Credential Theft

Stealing login information through phishing, malware, or system exploitation.

Hash Injection

Injecting a stolen or forged hash into a system's authentication mechanism to impersonate a user without the plaintext password.

Kerberoasting

Targeting Kerberos service tickets to extract and crack service account credentials offline; often used for lateral movement.

Kerberos Overpass-The-Hash

Combining Pass-the-Hash with Kerberos by using NTLM hashes to request Kerberos tickets, bypassing some defenses.

NTLM Relay

Intercepting and relaying NTLM authentication messages to access resources without knowing the user's password.

Password Cracking

Using brute force, dictionary attacks, or rainbow tables to recover plaintext passwords from hashes.

Rainbow Table

Precomputed table of hash values used to reverse cryptographic hashes, recovering plaintext passwords more efficiently.

Silver Ticket Attack

Similar to Golden Ticket but targets Kerberos Service Tickets (TGS), giving access to specific services within a domain.

SMB Relay

Like NTLM Relay, but specifically targeting Server Message Block to relay authentication requests.

Token Impersonation

Creating or modifying security tokens to assume the identity and privileges of another user or process.

Token Manipulation

Altering or forging tokens to escalate privileges or bypass security controls within Windows.

Token Theft

Unauthorized acquisition of authentication tokens from memory or storage, enabling attackers to impersonate legitimate users.

Execution and injection

Code execution, injection, and process manipulation tactics.

FEATURED

Process Hollowing

A legitimate process is launched in a suspended state, its memory is replaced with malicious code, and execution resumes. To observers (and many EDR tools) the process still looks like the trusted binary: same name, same path, same parent. The shell stays the same while the contents are swapped.

FEATURED

DLL Injection

A malicious DLL is loaded into another process's address space. The injected code now runs with the target's privileges and trust, inherits its network handles, and survives in the loaded-modules list of a legitimate binary. EDR catches the injection moment; static tools see only a benign process.

FEATURED

Living Off The Land

Why install attacker tooling when Windows already ships with everything you need? PowerShell, certutil, rundll32, wmic, mshta, bitsadmin: every one signed, trusted, allowlisted, and bundled on every host. Same binary, different intent, no new file on disk.

FEATURED

Code Injection

Input that becomes code. Whether it is SQL, JavaScript, shell, or Python eval, the pattern is the same: untrusted text concatenates with logic and the interpreter cannot tell where the data stops and the program begins. Benign input and malicious input travel the same path; the difference shows up only at runtime, in what the interpreter actually does with it.

Command and Scripting Interpreter

Using legitimate command-line shells or scripting environments (PowerShell, cmd.exe) to execute commands, often to evade detection.

Cross-Process Injection

Injecting code into another running process's memory space to hide execution and bypass security controls.

Macro-based Execution

Using macros embedded in Office documents or other files to execute malicious code once the file is opened.

Process Doppelganging

Exploiting Windows transaction mechanisms to execute malicious code under the guise of a legitimate process without modifying the original executable on disk.

Process Masquerading

Altering the name or appearance of a malicious process to mimic legitimate system processes, evading detection.

Reflective DLL Injection

Stealthier DLL injection where the DLL loads itself into memory without touching disk, helping evade antivirus detection.

Remote Execution

Executing code or commands on a remote system, often through vulnerabilities or remote management tools.

Sideloading

Loading and executing a malicious DLL or module through a legitimate application to bypass security controls.

Thread Injection

Injecting malicious code into a running thread of another process for stealthy execution.

Command and control infrastructure

Mechanisms adversaries use to communicate with and control compromised systems.

FEATURED

Beaconing

Periodic check-in from an infected host to its C2 server. The cadence is the signature: regular intervals (60s, 5m, 1h) with consistent packet sizes betray a beacon even when the destination and protocol look legitimate.
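The cadence signal described above can be scored directly from flow records: a destination whose inter-arrival times and payload sizes barely vary is a metronome, whatever the hostname looks like. This is an added example, not code from the glossary; the flow records and the 10% variation thresholds are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (epoch seconds, destination, bytes sent).
# 10.0.0.5 receives a near-regular 60 s check-in of identical size (a beacon);
# cdn.example sees ordinary, bursty browsing of varying sizes.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", 312), (1061, "10.0.0.5", 312), (1119, "10.0.0.5", 312),
    (1180, "10.0.0.5", 312), (1240, "10.0.0.5", 312), (1299, "10.0.0.5", 312),
    (1003, "cdn.example", 1400), (1010, "cdn.example", 230), (1200, "cdn.example", 9800),
    (1205, "cdn.example", 512), (1290, "cdn.example", 77),
]


def beacon_scores(flows, min_events=5):
    """Per destination, return (interval_cv, size_cv): the coefficient of
    variation (stdev / mean) of inter-arrival gaps and of payload sizes.
    Values near zero mean 'regular interval, constant size'. Destinations with
    fewer than min_events flows are skipped because the statistic is meaningless."""
    by_dst = {}
    for ts, dst, size in flows:
        by_dst.setdefault(dst, []).append((ts, size))

    scores = {}
    for dst, events in by_dst.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        scores[dst] = (interval_cv, size_cv)
    return scores


def likely_beacons(flows, max_interval_cv=0.10, max_size_cv=0.10):
    """Destinations whose timing and size regularity both fall under the cutoff.
    Real implants add jitter; widen max_interval_cv to catch sloppier cadences
    at the cost of more false positives from polling SaaS clients."""
    return sorted(dst for dst, (icv, scv) in beacon_scores(flows).items()
                  if icv <= max_interval_cv and scv <= max_size_cv)


if __name__ == "__main__":
    for dst, (icv, scv) in beacon_scores(SAMPLE_FLOWS).items():
        print(f"{dst:12s} interval_cv={icv:.3f} size_cv={scv:.3f}")
    print(likely_beacons(SAMPLE_FLOWS))  # ['10.0.0.5']
```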

FEATURED

DNS Tunneling

The data is in the subdomain. aGVsbG8.dGhpcw.attacker.com looks like a DNS query to your firewall, but the labels are base64-encoded chunks of command-and-control traffic. Because DNS is rarely blocked or deep-inspected, the channel hides in plain sight. Long, high-entropy subdomains to the same parent zone are the canonical detection signal.
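The detection signal named above (long, high-entropy subdomains under one parent zone) can be checked on a batch of query names with a few lines of scoring. This is an added example, not code from the glossary; the query list, the example.com traffic and the thresholds are constructed, and the parent-zone split is a deliberate simplification.

```python
import math
from collections import defaultdict

# Constructed DNS query names, not real traffic. The attacker.com names carry
# base64-looking labels (the page's aGVsbG8.dGhpcw pattern); example.com is normal.
SAMPLE_QUERIES = [
    "aGVsbG8gd29ybGQuMDAx.c2VjcmV0a2V5.attacker.com",
    "dXNlcj1hZG1pbjtob3N0.PWRjMDE7a2V5.attacker.com",
    "Y21kPWxzIC1sYSAvZXRj.LzsgZXhpdA.attacker.com",
    "www.example.com",
    "mail.example.com",
    "api.example.com",
    "cdn.assets.example.com",
]


def shannon_entropy(text):
    """Bits of entropy per character; ~0 for repeated chars, up to log2(alphabet)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (subdomain labels joined, parent zone). Parent zone is taken as
    the last two labels, a simplification: production code should use the
    public suffix list so that names like x.co.uk are handled correctly."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def tunnel_candidates(queries, min_queries=3, min_len=20, min_entropy=3.5):
    """Parent zones whose queries average long, high-entropy subdomain payloads.
    Each zone is scored on mean subdomain length and mean entropy so one odd
    hostname does not trip the alert but a stream of encoded chunks does."""
    per_zone = defaultdict(list)
    for q in queries:
        sub, zone = split_query(q)
        per_zone[zone].append((len(sub), shannon_entropy(sub)))

    flagged = []
    for zone, stats in per_zone.items():
        if len(stats) < min_queries:
            continue
        avg_len = sum(l for l, _ in stats) / len(stats)
        avg_ent = sum(e for _, e in stats) / len(stats)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        sub, zone = split_query(q)
        print(f"{zone:14s} len={len(sub):2d} entropy={shannon_entropy(sub):.2f}")
    print(tunnel_candidates(SAMPLE_QUERIES))  # ['attacker.com']
```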

FEATURED

Fast-Flux DNS

One domain. Six (or sixty, or six hundred) IPs rotating beneath it on short TTLs. Block one IP, the next resolution returns another. Defenders trying to take down the infrastructure can't pin it long enough for a block to stick.

FEATURED

Domain Generation Algorithm

Instead of a hardcoded C2 domain, the malware computes a fresh list each day (or hour) from a seed. The attacker registers just one of the generated names. The malware tries them all; only the registered one resolves. Static blocklists never quite catch DGA-driven malware because the candidate names change continuously.

FEATURED

HTTPS C2

The beacon hides in normal-looking HTTPS traffic. To a proxy log, a C2 request is identical to any CDN or SaaS request: 200 OK, encrypted body, common-looking hostname. The beacon is indistinguishable from its neighbors at a glance, which is exactly why TLS-aware decryption and JA3 fingerprinting matter.

FEATURED

Domain Fronting

The SNI (and DNS lookup) point at a trusted CDN, so the firewall sees only the allowed front. Inside the encrypted request, the Host: header redirects to attacker infrastructure on the same CDN. That mismatch between outer and inner names is where the technique lives, and why most major CDNs eventually shut the door on it.

BulletProof Hosting

Hosting services known for ignoring abuse complaints and allowing malicious activities to operate with minimal risk of takedown.

Command and Control (C2)

Communication channel between an attacker and a compromised system used to send commands, receive stolen data, or control malware post-infection.

Custom Protocols over Non-Standard Ports

Proprietary or disguised protocols on unexpected ports (e.g., SSH on 8888) to evade detection that expects known service behavior.

Dead Drop Resolver (DDR)

Malware retrieves commands from content stored on legitimate platforms (Pastebin, GitHub, social media), avoiding direct connection to attacker infrastructure.

Email-Based C2

Using SMTP/IMAP to send or receive commands and data, hidden in attachments or content that blends with business traffic.

Encrypted Web Uploads

Sensitive data uploaded via HTTPS to attacker-controlled servers, helping evade content inspection.

ICMP Tunneling

Embedding commands or data in ICMP echo packets (ping) to establish covert C2 communication that traditional firewalls often miss.

Peer-to-Peer (P2P) C2

Mesh-like networks where infected systems communicate with each other to share commands and updates without a centralized server.

Slack-based C2

Abuse of Slack's APIs, webhooks, or tokens to create covert C2 by embedding commands or exfiltrated data within messages or bots.

Social Media C2

Using Twitter, Facebook, Instagram to post encoded commands or retrieve data via posts, images, or profiles on trusted domains.

Telegram Bots

Leveraging Telegram's bot API to issue commands or receive data, creating C2 over an encrypted, trusted messaging platform.

Tor-based C2

Leveraging Tor to anonymize attacker and malware communication, making attribution and traffic analysis significantly harder.

Data theft and exfiltration

Attacker behaviors focused on stealing, leaking, or exporting sensitive data.

FEATURED

Data Exfiltration

The deliberate, unauthorized transfer of data out of the network. Sensitive files leave through whatever hole the attacker can use: an encrypted upload to a cloud drop, a DNS tunnel, or a slow drip below the DLP threshold. The real signal is usually a small one, repeating, in a direction the network was not expecting.

Data Breach

An incident where an unauthorized party gains access to protected or sensitive data, often involving large-scale loss of personal or organizational information.

Data Exposure

Data left accessible without proper controls, often due to misconfigurations like open cloud storage or unsecured APIs.

Data Harvesting

Automated or bulk collection of data via scrapers, malware, or scripts, often used for profiling, fraud, or resale.

Data Leak

Unintended or accidental release of sensitive data, often caused by human error, misconfigured systems, or negligence.

Data Leakage Channels

Stealthy exfiltration techniques such as covert DNS queries, encrypted uploads, or embedding in benign-looking traffic.

Information Disclosure

A system or application reveals internal details, sensitive metadata, or user data, often as part of a vulnerability or misconfiguration.

Insider Data Theft

Unauthorized access and removal of sensitive data by a trusted internal party with legitimate access.

Sensitive Data in Transit

Data intercepted while being transmitted across a network without proper encryption or integrity checks, vulnerable to MITM or sniffing.

Shadow Data

Sensitive or regulated data stored in unmanaged, forgotten, or unsanctioned locations: abandoned cloud buckets, rogue spreadsheets, old backups.

Third-Party Data Exposure

Compromise or exposure of sensitive data caused by a breach, misconfiguration, or negligence on the part of an external vendor or partner.

Unstructured Data Exposure

Leakage involving documents, logs, screenshots, or audio, which are harder to classify or monitor using traditional DLP tools.

Evasion and stealth techniques

Methods for avoiding detection and blending into normal activity.

[Figure: four rotating sample hashes (0x4a3b9e2c, 0xdeadbeef, 0x9f1c5d22, 0xc0ffee01); the signature changes while the behavior stays the same: read keys, exfil over HTTPS]

FEATURED

Polymorphic Malware

The malware rewrites itself on each generation: different hashes, different bytes, identical behavior. Signature-based detection sees four "different" samples; behavior-based detection sees one campaign. The hash on the left cycles while the behavior box on the right stays static. This is why TTP-based hunting outperforms IOC-based hunting for sophisticated adversaries.

FEATURED

Sandbox / Environment Detection

Most sandboxes are not very lived-in. They have small disks, brief uptime, no mouse activity, suspicious driver names, and known artifacts. Malware that checks for these traits will sit silent in analysis, then unfurl on a real user's host.

FEATURED

Timestomping

Attackers rewrite the MAC (modified / accessed / created) timestamps on dropped files to a date that matches everything around them. A binary that "shipped with Windows" in 2009 won't catch the eye of an analyst scanning recent-changes lists. Same bytes, different forensic story.

FEATURED

LOLBins

โ€Living Off the Land Binaries.โ€ Trusted, signed, ubiquitous, and weaponized for every step of an intrusion. Allowlists wave them through; the binary on disk is fine. The malicious part is the argument line. A process list that looks clean at a glance can have every entry being abused.

Application Shimming

Abuses Windows Application Compatibility Infrastructure (shims) to inject malicious code or maintain persistence.

Binary Padding

Adds non-functional data or junk code to malware files to change their hash and avoid signature-based detection.

Binary Obfuscation

Code is deliberately scrambled, encrypted, or disguised to make analysis harder and evade static analysis engines.

Callback Domain Rotation

Switches out C2 domains regularly to avoid blacklisting and detection.

Command-Line Obfuscation

Malicious commands hidden using encoding (Base64), string concatenation, or misleading syntax to bypass command-line monitoring.

Custom Encryption Protocols

Non-standard encryption schemes that wrap malicious traffic to avoid detection by DPI or SSL/TLS inspection.

Data Staging

Sensitive data collected and stored locally in chunks before exfiltration, avoiding large, sudden transfers that DLP would flag.

Delayed Execution

Malware waits for a specific trigger (time, date, keyboard input) before executing, bypassing sandbox environments.

Encoded Payloads

Payloads encoded (Base64, XOR) to hide true content until runtime, evading static detection.

Fast Flux DNS

Rapidly changing IP addresses associated with a single domain to avoid IP-based blocking and takedowns.

File Extension Spoofing

Files disguised with misleading extensions (e.g., invoice.pdf.exe) to trick users and bypass basic file-type filters.

Low-And-Slow

Performs actions gradually or in minimal increments to remain under detection thresholds.

Masquerading

Disguises a malicious process or file by renaming it or giving it the appearance of a trusted application.

Memory Injection

Injects code directly into memory rather than writing to disk, avoiding file-based detection.

Parent PID Spoofing

Spawns processes that appear to be launched by trusted executables (like explorer.exe), misleading analysts and EDR.

Protocol Tunneling

Encapsulates malicious traffic within legitimate protocols (HTTPS, DNS, ICMP) to bypass network detection.

Signed Binary Proxy Execution

Executes malicious code through trusted signed binaries (rundll32, regsvr32), exploiting inherent trust.

Spoofed MACs

Changes MAC addresses to impersonate other machines or confuse device-based monitoring.

Subdomain Abuse

Uses legitimate-looking subdomains (e.g., cdn.dropbox.com.evil.com) to trick filters and users.

Time-Based Evasion

Schedules or delays actions to avoid time-sensitive monitoring tools or activate only during specific conditions.

Toxic Access Pairing

Combines multiple benign or low-privilege roles that together create excessive and dangerous access to sensitive resources.

User-Agent Spoofing

Alters HTTP headers to mimic trusted applications or browsers, blending into normal web traffic.

Virtual Environment Awareness

Malware detects sandboxes or VMs and refuses to execute, hiding true behavior from automated analysis.

WMI Obfuscation

Uses complex or hidden WMI commands to evade detection and gather data stealthily.

Initial access techniques

Entry vectors and tactics used to gain a foothold in a system.

FEATURED

Phishing

Deceptive messages that lure users into clicking, opening, or entering credentials. The bait is the email; the line is the trust the sender impersonates; the catch is initial access.

FEATURED

Watering Hole Attack

Don't go to the targets. Wait at the website they all visit (an industry news source, a community forum, a vendor portal), implant a payload there, and infect everyone who shows up. Originally a metaphor; now mature tradecraft used in espionage.

FEATURED

Supply Chain Compromise

The vendor ships the malware for you. A signed, trusted update flows through normal channels to thousands of customers, every one of them welcoming it. SolarWinds, ShadowHammer, 3CX, M.E.Doc: different names, same shape.

FEATURED

Credential Stuffing

The attacker is not guessing. They have leaked credentials from somewhere else. They replay them at scale against your login page, betting that ~1% of users reuse passwords across sites. Rate limits and MFA stop most of this; password reuse is what feeds it.

Drive-By Download

Malicious code automatically downloaded and executed simply by visiting a compromised or malicious website, often without user interaction.

Email Attachment Exploit

Malware or exploit code embedded in an email attachment that executes when the user opens the file.

Exploit Public-Facing Application

Targets vulnerabilities in externally exposed applications (web servers, APIs) to gain unauthorized access or RCE.

Malvertising

Malicious advertisements on legitimate websites that redirect users to exploit kits or deliver malware.

RDP Pivoting

Gains access via Remote Desktop Protocol, then uses it to move laterally or reach other internal assets.

Social Engineering

Manipulates people into performing actions or revealing information by exploiting trust, fear, urgency, or authority.

Spear Phishing

Targeted phishing customized for a specific individual or organization to increase success rate.

Typosquatting

Registers look-alike domains to trick users into visiting malicious sites, often to harvest credentials or deliver malware.

USB / Removable Media Infection

Malware delivered via infected USB drives that automatically executes when plugged in.

Vishing (Voice Phishing)

Phone calls or voicemails impersonating authority figures or institutions to extract credentials or prompt unsafe actions.

Whaling

Spear phishing targeting high-profile individuals like executives, often for financial fraud or data theft.

The B.A.D. Glossary is a living reference. The vocabulary evolves with every campaign, every CVE, every shift in the threat landscape. Contributions and corrections are welcome on GitHub.